CVE-2024-29027 CRITICAL

CVE-2024-29027: Parse Server crash and RCE via invalid Cloud Function or Cloud Job name

Vendor Parse-Community
Product parse-server
Weakness CWE-74
Published March 19, 2024
Last update August 2, 2024

CVSS base score

9.1/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Scope Changed
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

Description

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 6.5.5 and 7.0.0-alpha.29, calling an invalid Parse Server Cloud Function name or Cloud Job name crashes the server and may allow code injection, internal store manipulation or remote code execution. The patch in versions 6.5.5 and 7.0.0-alpha.29 added string sanitation for Cloud Function names and Cloud Job names. As a workaround, sanitize the Cloud Function name and Cloud Job name before they reach Parse Server.

Key dates

Disclosure timeline

March 19, 2024 CVE published
August 2, 2024 Record updated